Physical security – locking down GDPR compliance

Say ‘GDPR’ and the first thing that springs to mind is ‘cyber security’. Physical security is equally important to compliance, yet it’s often overlooked. On the first anniversary of the General Data Protection Regulation coming into effect, we look at the physical security of IT hardware and data, reveal where risks lie and look at the products that help companies stay compliant.

Let’s take this offline

With hacking and malware making headlines, it’s unsurprising that companies have thrown time and resources at tackling the digital challenge of data protection. But the GDPR is concerned with personal data handled by organisations in both electronic and physical formats. The regulation puts the burden on organisations to prove that they are acting in accordance with privacy protection laws, and that includes taking preventative action. Therefore, physical security is integral to GDPR compliance. So, why are companies still falling short in the offline space?

Underestimating the risks

The threat of a physical security breach is very real. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), recorded 4,056 data security incidents between July and September 2018. Of these, over 80% were non-cyber related – which includes device loss and theft as well as the unauthorised observation of data[1]. Despite the risks, more than a third of businesses do not have a security policy in place to protect laptops, mobile devices and other electronic assets[2].

Why? One of the main barriers to better uptake of physical security measures is that companies perceive that they already operate in a secure environment. With CCTV, employee passes and sometimes even security personnel in place, it can appear the likelihood of theft is low. However, 58% of laptops are stolen from the office and 85% of IT managers suspect internal theft[3].

Let’s get physical

One company that understands the risks, barriers and solutions to physical security and GDPR compliance is Kensington. The world leader in physical security for IT hardware and the originator of the Laptop Lock, Kensington has the insight and products that companies need to ‘take preventative action’ to stay on the right side of the GDPR.

Lock it down

The most basic and effective measure to prevent opportunistic theft is a laptop lock. With over half of laptops stolen from offices, it’s clear that current security measures aren’t working. And the cost of a stolen laptop is not just a potential fine from the regulator, it’s also the time and hassle of tracking the offender, lost productivity and the cost of replacing the machine. Laptop locks are quick and easy to use.

The carbon steel cable locks into the machine and can be looped round a table leg or anchor point. When the user wants to free their laptop, it’s as simple as turning a key or combination lock. Locks are a low-cost solution that instantly cuts risk, and every machine matters. In 2018, one laptop was stolen containing the unencrypted personal details of 37,000 customers of Eir, an Irish telecoms provider – a data breach which could see Eir facing a hefty fine under the GDPR later this year. Even machines without a Kensington security slot can be secured – MacBooks, PCs and today’s thin and light laptops. You can find the right lock for your device in moments with this handy selector: www.kensington.com/securityselector

The same principle applies to Kensington’s SecureTrek™ luggage range, which can be anchored in locations where theft is a concern such as airports, hotels and tradeshows – ideal for mobile workers.

A poke for prying eyes

Visual hacking is another problem. Many of today’s screens are designed to have a wide viewing angle and high resolution – great for group working, but not so good for data privacy. And this low-key form of hacking often goes unnoticed. People don’t expect it. And if you’re absorbed in your work, you’re unlikely to realise someone else is equally interested in your screen.

Yet a covert visual hacking experiment showed that 52% of screens are at risk[4]. And those prying eyes might belong to an ill-intentioned colleague or a shadowy bystander in a café. Luckily, this threat is easily remedied by a privacy screen filter. It limits the screen’s viewing angle, providing visual protection for confidential data. Privacy screens are touchscreen compatible, easy to attach and suitable for monitors, laptops and tablets.

Better still, Kensington makes it painless to pick the right privacy screen filter, with a range that supports over 52,000 devices and a simple selector tool. www.kensington.com/protectmyscreen

Even mice and keyboards aren’t safe

Could your wireless mouse and keyboard cause a security breach? In short, yes. We tend to assume wireless technologies are safe as they’re so widely used, but they are also a potential weak link, leaving sensitive information open to being accessed by unauthorised parties. As you type and click, the mouse and keyboard transmit data to a wireless receiver. A hacker could intercept this and gain passwords and other confidential information. AES-encrypted mice and keyboards prevent this by transmitting keystrokes and clicks as complex codes. It’s simple to swap old mice and keyboards for ones that keep information private – another physical measure the regulator would approve of.

Put your finger on it

Passwords aren’t infallible, especially as many people set easily-guessable ones, leave the default password in place or share login details with colleagues. This makes it easy for data to fall into the wrong hands and cause a GDPR headache. Fingerprint sensors get around this problem, only allowing the authorised user to access a device. Compatible with enterprise-level solutions such as Windows Hello, Google G-Suite, Azure, Dropbox and many others, it’s a secure and reliable measure that prevents data loss.

No port in a storm

Insider threats can be as destructive as anonymous hackers. Stolen identities are a lucrative business and a malicious employee can easily connect a hard drive and download files from an unattended laptop. USB port locks and blockers put a stop to this, reducing the risk of data copying and uploads of malware to the network. These locks are smart enough to protect ports while still enabling secure use of authorised USB devices. It’s a small but powerful product.

Exploit the opportunity in physical security

Organisations need a physical security policy to be compliant with the GDPR. And they need to implement that policy with the right products. This could be a valuable conversation to have with your customers. It’s helpful for them and holds good sales potential for you. To find out more about how Ingram Micro can support you with Kensington opportunities, contact us on 0371 973 3000.


SOURCES

[1] Information Commissioner’s Office – ico.org.uk/action-weve-taken/data-security-incident-trends

[2] Kensington IT Security & Laptop Theft Survey, August 2016

[3] IDC Executive Brief 2010 – Laptop Theft: The Internal and External Threat

[4] Ponemon Institute Visual Hacking Experiment, 2016